Authentication method and apparatus for satellite navigation message and correction messages

ABSTRACT

A satellite navigation system-based authentication method includes generating first authentication information for performing authentication on a first message, generating second authentication information for performing authentication on a second message, and transmitting the second message by including the first authentication information and the second authentication information in the second message.

CROSS-REFERENCE TO RELATED APPLICATION(S)

This application claims the priority benefit of Korean PatentApplication No. 10-2022-0041773 filed on Apr. 4, 2022, and Korean PatentApplication No. 10-2023-0035964 filed on Mar. 20, 2023, in the KoreanIntellectual Property Office, the disclosures of which are incorporatedherein by reference for all purposes.

BACKGROUND 1. Field

The present disclosure relates to a satellite navigation system-basedmessage authentication method and an apparatus for performing the same.

2. Description of Related Art

Research on authentication technology for satellite navigation messagesand against the risk of spoofing attacks has been underway with thegrowth of services using satellite navigation messages. The proposedmethods vary depending on the satellites of respective countries becausethe technology may vary depending on the features of the satellites.Only Galileo of Europe is currently being pilot operated, but there areplans of proposing authentication methods for other satellites andapplying the methods to those satellites.

The above description has been possessed or acquired by the inventor(s)in the course of conceiving the present disclosure and is notnecessarily an art publicly known before the present application isfiled.

SUMMARY

An aspect provides technology for performing various types of navigationmessage authentication to correspond to a structure of satellitemessages.

Another aspect also provides technology for an authentication method oftransmitting authentication of a satellite navigation messagetransmitted at a low speed by including it in a precise correctionmessage transmitted at a high speed.

Another aspect also provides technology for fast authentication in ahigh-precision navigation service which needs to receive both asatellite navigation message and a precision correction message.

According to aspects, an authentication method may be selected asneeded, and authentication may be performed.

According to aspects, an applied hash function, a digital signaturealgorithm, and the length of a key may be selectively used.

However, technical aspects are not limited to the foregoing aspects, andthere may be other technical aspects.

According to an aspect, there is provided a satellite navigationsystem-based authentication method including generating firstauthentication information for performing authentication on a firstmessage, generating second authentication information for performingauthentication on a second message, and transmitting the second messageby including the first authentication information and the secondauthentication information in the second message.

The first message may be a message transmitted at a low speed and thesecond message may be a message transmitted at a high speed.

The first message may include a navigation message and the secondmessage may include a precise correction message.

A subframe of the first message may include a field for synchronizingthe second message with the subframe, and a subframe of the secondmessage may include a data part including the first authenticationinformation and the second authentication information.

The first authentication information may include a digital signature forthe first message and the second authentication information may includea digital signature for the second message.

An odd-numbered subframe of subframes included by the second message mayinclude authentication information on the odd-numbered subframe, and aneven-numbered subframe of the subframes included by the second messagemay include a concatenation of authentication information on a subframecorresponding to the even-numbered subframe of the subframes included bythe first message and authentication information on the even-numberedsubframe.

An even-numbered subframe of subframes included by the second messagemay include authentication information on a subframe corresponding tothe even-numbered subframe of the subframes included by the firstmessage, and an odd-numbered subframe of the subframes included by thesecond message may include a concatenation of the even-numbered subframeand the odd-numbered subframe.

An odd-numbered subframe of subframes included by the second message mayinclude authentication information on the odd-numbered subframe, and aneven-numbered subframe of the subframes included by the second messagemay include authentication information on a concatenation or anexclusive-or of the even-numbered subframe and a subframe correspondingto the even-numbered subframe of subframes included by the firstmessage.

According to an aspect, there is provided an apparatus configured toperform a satellite navigation system-based authentication methodincluding a memory including instructions and a processor electricallyconnected to the memory and configured to execute the instructions, inwhich the processor performs a plurality of operations when theinstructions are executed by the processor, and the operations includegenerating first authentication information for performingauthentication on a first message, generating second authenticationinformation for performing authentication on a second message, andtransmitting the second message by including the first authenticationinformation and the second authentication information in the secondmessage.

The first message may be a message transmitted at a low speed and thesecond message may be a message transmitted at a high speed.

The first message may include a navigation message and the secondmessage may include a precise correction message.

A subframe of the first message may include a field for synchronizingthe second message with the subframe, and a subframe of the secondmessage may include a data part including the first authenticationinformation and the second authentication information.

The first authentication information may include a digital signature forthe first message and the second authentication information may includea digital signature for the second message.

An odd-numbered subframe of subframes included by the second message mayinclude authentication information on the odd-numbered subframe, and aneven-numbered subframe of the subframes included by the second messagemay include a concatenation of authentication information on a subframecorresponding to the even-numbered subframe of the subframes included bythe first message and authentication information on the even-numberedsubframe.

An even-numbered subframe of subframes included by the second messagemay include authentication information on a subframe corresponding tothe even-numbered subframe of the subframes included by the firstmessage, and an odd-numbered subframe of the subframes included by thesecond message may include a concatenation of the even-numbered subframeand the odd-numbered subframe.

An odd-numbered subframe of subframes included by the second message mayinclude authentication information on the odd-numbered subframe, and aneven-numbered subframe of the subframes included by the second messagemay include authentication information on a concatenation or anexclusive-or of the even-numbered subframe and a subframe correspondingto the even-numbered subframe of subframes included by the firstmessage.

Additional aspects of example embodiments will be set forth in part inthe description which follows and, in part, will be apparent from thedescription, or may be learned by practice of the disclosure.

BRIEF DESCRIPTION OF THE DRAWINGS

These and/or other aspects, features, and advantages of the presentdisclosure will become apparent and more readily appreciated from thefollowing description of example embodiments, taken in conjunction withthe accompanying drawings of which:

FIG. 1 illustrates a Galileo I/NAV message format.

FIG. 2 illustrates a Galileo authentication data insertion position.

FIG. 3 illustrates an open service navigation message authentication(OSNMA) (authentication data) field configuration.

FIG. 4 illustrates a global positioning system (GPS) message structure.

FIG. 5 illustrates a GPS satellite navigation message and a spreadingcode binding.

FIG. 6 illustrates a chips message robust authentication (Chimera)digital signature format.

FIG. 7 illustrates a BeiDou D1 message format.

FIG. 8 illustrates a method of transmitting a signature for BeiDou D1.

FIG. 9 illustrates a BeiDou D2 message format.

FIG. 10 illustrates a BeiDou D2 message authentication method.

FIG. 11 illustrates a group time information authentication procedure ofa receiver of a BeiDou D2 message.

FIG. 12 illustrates a page authentication procedure of a receiver of aBeiDou D2 message.

FIG. 13 illustrates a structure of an authentication method of aquasi-zenith satellite system (QZSS).

FIG. 14 illustrates a QZSS message format.

FIG. 15 illustrates a procedure of generating QZSS signature data.

FIG. 16 illustrates an example of a structure of a first message that isan authentication target according to an embodiment.

FIG. 17 illustrates an example of a structure of a second message thatis the authentication target according to an embodiment.

FIG. 18 illustrates subframe synchronization of a first message and asecond message according to an embodiment.

FIG. 19 illustrates an authentication method 1 according to anembodiment.

FIG. 20 illustrates an authentication method 2 according to anembodiment.

FIG. 21 illustrates an example of a concatenation of an authenticationmethod 3 according to an embodiment.

FIG. 22 illustrates an example of an exclusive-or operation of theauthentication method according to an embodiment.

FIG. 23 illustrates a public key table according to an embodiment.

FIG. 24 is a flowchart illustrating a satellite navigation system-basedauthentication method according to an embodiment.

FIG. 25 is a schematic block diagram illustrating an apparatus accordingto an embodiment.

DETAILED DESCRIPTION

The following detailed structural or functional description is providedas an example only and various alterations and modifications may be madeto the examples. Here, examples are not construed as limited to thedisclosure and should be understood to include all changes, equivalents,and replacements within the idea and the technical scope of thedisclosure.

Terms, such as first, second, and the like, may be used herein todescribe various components. Each of these terminologies is not used todefine an essence, order or sequence of a corresponding component butused merely to distinguish the corresponding component from othercomponent(s). For example, a first component may be referred to as asecond component, and similarly the second component may also bereferred to as the first component.

It should be noted that if it is described that one component is“connected”, “coupled”, or “joined” to another component, a thirdcomponent may be “connected”, “coupled”, and “joined” between the firstand second components, although the first component may be directlyconnected, coupled, or joined to the second component.

The singular forms “a,” “an,” and “the” are intended to include theplural forms as well, unless the context clearly indicates otherwise. Asused herein, “A or B”, “at least one of A and B”, “at least one of A orB”, “A, B or C”, “at least one of A, B and C”, and “at least one of A,B, or C,” each of which may include any one of the items listed togetherin the corresponding one of the phrases, or all possible combinationsthereof. It will be further understood that the terms“comprises/including” and/or “includes/including” when used herein,specify the presence of stated features, integers, operations,operations, elements, and/or components, but do not preclude thepresence or addition of one or more other features, integers,operations, operations, elements, components and/or groups thereof.

Unless otherwise defined, all terms, including technical and scientificterms, used herein have the same meaning as commonly understood by oneof ordinary skill in the art to which this disclosure pertains. Terms,such as those defined in commonly used dictionaries, are to beinterpreted as having a meaning that is consistent with their meaning inthe context of the relevant art and are not to be interpreted in anidealized or overly formal sense unless expressly so defined herein.

Hereinafter, the examples are described in detail with reference to theaccompanying drawings. When describing the embodiments with reference tothe accompanying drawings, like reference numerals refer to likeelements and a repeated description related thereto will be omitted.

FIGS. 1 to 3 are diagrams illustrating an authentication method of aEuropean satellite navigation system (e.g., Galileo).

FIG. 1 illustrates a Galileo I/NAV message format, FIG. 2 illustrates aGalileo authentication data insertion position, and FIG. 3 illustratesan open service navigation message authentication (OSNMA)(authentication data) field configuration.

Referring to FIGS. 1 to 3 , regarding Galileo of Europe, anauthentication method for an I/NAV message, that is, a satellitenavigation message transmitted through an E1B channel having a 125-bpstransmission speed, is proposed.

As illustrated in FIG. 1 , a Galileo I/NAV message may include N (e.g.,a natural number greater than 1) frames. One frame may include 15subframes. The authentication of a satellite navigation message ofGalileo may be performed by dividing and transmitting authenticationdata (OSNMA) to reserved 40 bits of each subframe as illustrated in FIG.2 . A configuration of data transmitted to each subframe is asillustrated in FIG. 3 . Message authentication may be performed throughmessage authentication code (MAC) for a message. A secret key necessaryfor the MAC may be transmitted together with the MAC by using a TimedEfficient Stream Loss-Tolerant Authentication (TESLA) technique.Authentication of a root key of the TESLA technique may be performedthrough a digital signature. The message may be transmitted togetherwith a MAC value of the message and a key value used for the previousMAC. A receiver (e.g., a receiving device) may authenticate a TESLAtechnique root key by using a digital signature and verify a MAC valueof a previous message by using a key received together with a nextmessage. Galileo is using a complex secret key encryption method insteadof its short length due to limited data space.

FIGS. 4 to 6 are diagrams illustrating an authentication method based ona global positioning system (GPS) of the United States (US).

FIG. 4 illustrates a GPS message structure, FIG. 5 illustrates a GPSsatellite navigation message and a spreading code binding, and FIG. 6illustrates a chips message robust authentication (Chimera) digitalsignature format.

Referring to FIGS. 4 to 6 , Chimera is proposed as an authenticationmethod for a navigation message and spreading code transmitted through aCNAV-2 L1C channel in the US GPS.

Referring to FIG. 4 , a navigation message transmitted through an L1Cchannel may include N (e.g., a natural number greater than 1) frames.One frame may include three subframes and be transmitted at 100 bps over18 seconds.

Referring to FIG. 5 , in Chimera, authentication may be performed withnavigation message data and spreading code by being associated with eachother. Authentication of the spreading code may be performed byverifying a marker (e.g., a slow channel marker or a fast channelmarker) that has been inserted into the spreading code. Information onan inserted position of the marker and a value of the marker may besupported by a slow channel and a fast channel. The slow channel markermay be derived from a signature of navigation message data and the fastchannel marker may be separately supported by an out-of-bandauthenticated source (e.g., the Internet).

Referring to FIG. 6 , ten different pages are transmitted to a subframe3 of a message transmitted through the L1C channel, and the order of thepages transmitted may vary. An epoch of transmitting 10 pages may bereferred to as a Chimera epoch. Authentication may be performed bytransmitting one signature value of 10 messages in each Chimera epoch.As illustrated in FIG. 6 , a signature may be transmitted by beingdivided into pages 8 and 9 of the subframe 3. As described above, sincethe Chimera of the US GPS has a long transmission epoch ofauthentication information (e.g., a signature), an epoch ofauthentication may also be long.

FIGS. 7 to 12 are diagrams illustrating an authentication method basedon a satellite navigation system (e.g., BeiDou) of China. China's BeiDousatellite system may include a geostationary earth orbit (GEO), a mediumearth orbit (MEO), and an inclined geosynchronous orbit (IGSO). The MEOand the IGSO may use a D1 message format transmitted at 50 bps, and theGEO may use a D2 message format transmitted at 500 bps.

FIG. 7 illustrates a BeiDou D1 message (hereinafter, the D1 message)format.

Referring to FIG. 7 , the D1 message may include 24 frames and betransmitted for 12 minutes. One frame of the D1 message may include 5subframes.

FIG. 8 illustrates a method of transmitting a signature for BeiDou D1.

Referring to FIG. 8 , the D1 message may include basic navigationinformation (BNI) in three subframes (e.g., subframes 1, 2, and 3) amongfive subframes. In the authentication method of the D1 message,authentication information (e.g., a signature) on the BNI may betransmitted once in every 24 frames. A signature (e.g., a signaturegenerated by using an elliptic curve digital signature algorithm(ECDSA)) for the BNI corresponding to three subframes of frames 1 to 12of the D1 message may be divided into halves and transmitted to asubframe 5 of the frame 11 and a subframe 5 of the frame 12. Likewise, asignature (e.g., the signature generated by using the ECDSA) for the BNIcorresponding to three subframe of frames 13 to 24 may be divided intohalves and transmitted to the frames 23 and 24. Because a space to whicha signature value is transmitted is small in the authentication methodof the D1 message, a signature with lengthy authentication informationmay not be transmitted.

FIG. 9 illustrates a BeiDou D2 message (hereinafter, the D2 message)format.

Referring to FIG. 9 , the D2 message may include 120 frames. One framemay include five subframes and be transmitted at 500 bps. BNI may beincluded by 10 pages (e.g., word) and be divided into 10 subframes 1 andtransmitted over 30 seconds. The 10 subframes 1 are referred to as onegroup, and the one group may be a unit of authentication. The abovemethod may include an authentication method of a signal level.

FIG. 10 illustrates a BeiDou D2 message authentication method. Referringto FIG. 10 , group authentication information and page authenticationinformation may be generated from second-of-week (SOW) informationincluded by one group. Then, the generated group authenticationinformation may be encrypted through an SM4 symmetric key encryptionalgorithm using a 128-bit key and a generator polynomial of a spectrumspreading sequence (GPSSS) for spreading spectrum modulation. A 128-bitciphertext may be divided and inserted into an extra space in one group(10 subframes 1). In addition, a digital signature (e.g., Sig(BNI))generated through an SM2 algorithm for BNI may be generated, and thegenerated Sig(BNI) may be modulated through a GPSSS method together withthe page authentication information and become a 75-bit serialsynchronous interface (SSI). Then, the SSI may be included between asubframe 1 and a subframe 2 and transmitted.

FIGS. 11 and 12 are diagrams illustrating a detailed authenticationprocedure of a receiver in the BeiDou D2 method authentication methoddescribed above. FIG. 11 illustrates a group time informationauthentication procedure of a receiver of a BeiDou D2 message, and FIG.12 illustrates a page authentication procedure of a receiver of a BeiDouD2 message.

Referring to FIG. 11 , a receiver (e.g., a receiving device) maygenerate group authentication information from the SOW information of aprevious group (e.g., a group 1). Then, the receiver may extract groupauthentication information by decrypting a ciphertext received from anext group (e.g., a group 2) and authenticate group time information bycomparing whether the extracted group authentication information is thesame as the group authentication information of the SOW informationgenerated from the previous group.

Referring to FIG. 12 , the receiver may extract a signature and pageauthentication information by modulating an SSI by using the GPSSSinformation extracted from the ciphertext. Then, the receiver may verifythe extracted page authentication information by comparing the extractedpage authentication information with page authentication informationgenerated from the SOW information of a previous group (e.g., the group1). Finally, the receiver may verify the extracted signature byextracting an SM2 signature for BNI included by the previous group fromthe received SSI.

Although the BeiDou D2 message authentication method uses asignificantly fast channel of 500 bps, one minute or more time may berequired to authenticate initial BNI. A D2 message authentication methodmay go through a duplex and complex authentication procedure byrequiring SOW that is not a secret value to be encrypted and transmittedand be used for authentication while verifying integrity from asignature of BNI modulated by using a GPSSS. A secret key method used inthe D2 message authentication method may have the challenging task ofmutually sharing a key, which may be solved by allowing all receivers(e.g., receiving devices) to retain a master key and updating the keythrough a secure message system (SMS). Such a master key may not bedisclosed to the public and may be protected through an encryptionalgorithm that is exclusively retained by a receiving devicemanufacturer, but issues may be raised. For example, such a method ofprotecting the master key does not follow a general method of verifyingsafety by disclosing an encryption algorithm and of allowing a minimumnumber of keys to be maintained in secret. In addition, an attackerowning the receiving device may figure out the secret key by using themaster key. Also, all the manufacturers keeping the encryption algorithma secret may be unrealistic.

FIGS. 13 to 15 are diagrams illustrating an authentication method basedon Japan's satellite navigation system (e.g., a quasi-zenith satellitesystem (QZSS)).

FIG. 13 illustrates a structure of an authentication method of the QZSS,FIG. 14 illustrates a QZSS message format, and FIG. 15 illustrates aprocedure of generating QZSS signature data.

Referring to FIGS. 13 to 15 , proposed is a method of authenticatingnavigation data from all receivable satellites other than QZSSsatellites in the QZSS of Japan. As illustrated in FIG. 13 , amonitoring and control station may receive and extract navigation datafrom all receivable satellite signals (e.g., QZSS L1C/A, GPS L1C/A, orGalileo E1B). Then, an authentication data center (ADC) may generate adigital signature for the navigation data extracted by the monitoringand control station. The generated digital signature may instead enternavigation data space (e.g., a random access to NLETS data (RAND)message, a low-density parity check code (LDPC) parity bit, or otherdata) in the QZSS message format. When the signal generated as such maybe uploaded to a satellite by being included by a message format, theQZSS satellite may broadcast the generated signal to users through anL1S signal. An L1 S receiver (e.g., a receiving device) may identify asatellite that is an authentication target from a pseudo random number(PRN) identification (ID) and verify a digital signature for receivednavigation data.

The QZSS authentication method may use a method of generatingauthentication information on the ground not from the satellite,uploading the generated authentication information to the satellite, andbroadcasting it again. In addition, as illustrated in FIG. 15 , the‘digital signature’ in the QZSS authentication method may refer to anauthentication value as an LDPC encoding result not a cryptographicelectronic signature using a public key code, and thus, may not securecryptographic safety.

In examples described with reference to FIGS. 1 to 15 , the safestauthentication method now may be cryptographic technology. Anauthentication method using cryptographic technology may be divided intoa method of using a secret key code and a method of using a public keycode. The secret key code method may be complex while the length ofauthentication information (e.g., message authentication code (MAC))therein is relatively short, and the public key code method may besimple while the length of authentication information (e.g., a digitalsignature) therein is long.

In an authentication method of a satellite navigation message, anavigation message may generally use a channel of which the transmissionspeed is low. Authentication information providing cryptographic safetymay occupy a large space (e.g., a bit length) compared to a message, andthus, authentication may only be performed on a navigation message ofwhich the transmission speed is relatively high. Galileo of Europe usesthe secret key code method of which the length of authenticationinformation is relatively short due to lack of space and may transmitthe authentication information by dividing it into subframes.

In addition, a status of a high-precision satellite navigation servicesupporting a precision correction message is as Table 1 below, and anauthentication service for a navigation message in the high-precisionsatellite navigation service is yet to be supported.

TABLE 1 Data Transmission System Service Satellite Signal Speed StandardQZSS PPP-RTK IGSO/GEO 1.278 GHz 2,000 bps Compact CLAS (L6D) SSR GalileoPPP MEO 1.278 GHz   500 bps Compact Has (E6b) SSR GLONAS PPP MEO/IGSO1.207 GHz — — (L3) BeiDou PPP GEO 1.207 GHz   500 bps — (B2b I/Q)

Hereinafter, a satellite navigation system-based authentication methodand an apparatus for performing the same are described with reference toFIGS. 16 to 25 .

According to an embodiment, the apparatus (e.g., an apparatus 2500 ofFIG. 25 ) may perform the satellite navigation system-basedauthentication method. The apparatus 2500 may perform authentication ontwo messages of different channels by using a second message (aprecision correction message) transmitted at a high speed withoutincluding authentication information in a first message (e.g., asatellite navigation message and a navigation (NAV) message) transmittedat a low speed. The apparatus 2500 may perform a satellite navigationsystem-based method to be described below with reference to FIGS. 16 to24 . The apparatus 2500 may be implemented in a transmitter (e.g., atransmitting device) for performing communication through a satellite,in a receiver (e.g., a receiving device), and/or in the satellite.

For example, the NAV message may be based on a satellite navigationmessage format based on a Korean positioning system (KPS). Acentimeter-level service (CLS) message may be based on acentimeter-level augmentation service (CLAS) message format.

FIG. 16 illustrates an example of a structure of a first message that isan authentication target according to an embodiment.

Referring to FIG. 16 , the first message may be an NAV message that isan authentication target of a high-precision satellite navigationservice (e.g., the KPS). An NAV message 1610 may be transmitted at aspeed of 25 bps with an S band of 2-4 GHz. The NAV message 1610 mayinclude a plurality of frames 1630 (e.g., N frames, in which N is anatural number greater than 1). Each of the frames 1630 may include aplurality of subframes 1650 (e.g., 4 subframes). Each of the subframes1650 may be transmitted over several seconds (e.g., 12 seconds). Each ofthe subframes 1650 may include a sync part 1652 of M bits (e.g., 16bits, in which M is a natural number greater than 1) forsynchronization, a data part 1654 of 282 bits for an NAV message, and atail part 1656 of 6 bits. The data part 1654 of each of the subframes1650 may commonly include a tracker log message (TLM) field 1654_1, aSub ID field 1654_3, and a cyclic redundancy check (CRC) field. The restof 233 bits other than the commonly included fields may include adifferent item (e.g., a time of week counter (TOWC) field, an alertfield, and/or an auto NAV field) for each of the subframes 1650.According to an embodiment, the NAV message 1610 (e.g., the data part1654 included by each of the subframes 1650 of the NAV message 1610) mayfurther include a field (e.g., a Seq field 1654_7) for synchronizationwith the CLS message (e.g., a subframe 1730 of a CLS message of FIG. 17). The Seq field 1654_7 may be a field, which occupies N bits (e.g., 3bits, in which N is a natural number greater than 1) of spare bitsincluded by 233 bits, for authentication.

FIG. 17 illustrates an example of a structure of a second message thatis the authentication target according to an embodiment.

Referring to FIG. 17 , the second message may be a precision correctionmessage (e.g., the CLS message) that is an authentication target of ahigh-precision satellite navigation service (e.g., the KPS). The CLSmessage may be based on a precision correction message (e.g., a CLAS) ofa QZSS.

The CLS message may include a plurality of frames 1710 (e.g., N frames,in which N is a natural number greater than 1). Each of the frames 1710may include a plurality of subframes 1730 (e.g., 6 subframes). Each ofthe subframes 1730 may include N data parts 1750 (e.g., 5 data parts1750, in which N is a natural number greater than 1). Each of thesubframes 1730 of the CLS message may further include one data part N+1(e.g., 6) 1752 (hereinafter, a data part 1752 for authentication) forauthentication information, and one subframe 1730 may be transmittedover several seconds (e.g., 6 seconds).

Each of the data parts 1750 (e.g., a data part 1 and a data part 2) maybe 2000 bits and may include a satellite identifier (e.g., a PRN), aheader 1750_3 of 49 bits including a message identifier ID andReed-Solomon code 1750_5 of 256 bits for error correction in a data part1750_1 of 1695 bits. The types of data transmitted to each data part1750_1 may be classified by a data type field, and the number of datatypes may be M (e.g., 12 types, in which M is a natural number greaterthan 1). A data type (hereinafter, a data type for authentication) forauthentication information may be defined and included by the data part1752 for authentication.

The structure of the data type for authentication may be as Table 2below.

TABLE 2 Authentication Target NAV+ Field Bit Length Value/Meaning NAVCLS CLS Auth 2 1: NAV, 2: CLS, 3: V V V Target NAV + CLS GNSS ID 4 6(KPS) V V PRN 8 KPS PRN V V NAV 32  KPS NAV Header V V Header Hash ID 416 KISA recommended V V V algorithms Signature 1 0: ECDSA V V VAlgorithm 1: EC-KCDSA ID Key 2 0:224, 1:256, 2:384, V V V Length 3:512Public 5 32 public keys V V V Key ID NAV 448, 512, NAV message digital VV Signature 668, 1024 signature CLS 448, 512, CLS message digital V VSignature 668, 1024 signature

The data type for authentication may include authentication informationon an NAV message and/or authentication information on a CLS message asan authentication target. The authentication information may be adigital signature for the NAV message and/or the CLS message transmittedright before.

The data type for authentication may include a field for satelliteinformation (e.g., a global navigation satellite system (GNSS) ID and aPRN of Table 3). The data type for authentication may include respectivefields of a hash function identifier (a hash ID) used for a digitalsignature, a digital signature algorithm identifier (a signaturealgorithm ID), the length (a key length) of a key used for the digitalsignature, and the digital signature (an NAV signature and a CLSsignature). When the authentication information on the NAV messagebecomes an authentication target, for example, when a value of anauthentication target field is 1 or 3, the data type for authenticationmay also include a header field of the NAV message. A value of anidentifier of each field of the data type for authentication of Table 2may be pre-defined and shared by a satellite and a receiver. A hashfunction, a digital signature algorithm, and a key length that are usedmay follow the recommendations of the Korea Internet Security Agency(KISA), which may be available after 2030, and may be selectively used.The length of a digital signature (e.g., the NAV signature and the CLSsignature of Table 2) may vary depending on the length of a key to beused, and the length may be as Table 3 below.

TABLE 3 Authentication Target (Bit Length) Field NAV CLS NAV + CLSAuthentication 2 2 2 Target GNSS ID 4 4 PRN 8 8 NAV Header 32 32 Hash ID4 4 4 Signature 1 1 1 Algorithm ID Key Length 2 2 2 Public Key ID 5 5 5NAV Signature 448 512 768 1024 448 512 768 1024 CLS Signature 448 512768 1024 448 512 768 1024 Total 506 570 826 1082 462 526 782 1038 9541082 1594 2106

FIG. 18 illustrates subframe synchronization of a first message and asecond message according to an embodiment.

Referring to FIG. 18 , the first message may be a navigation message(e.g., an NAV message) that is an authentication target of ahigh-precision satellite navigation service (e.g., the KPS), and thesecond message may be a precision correction message (e.g., a CLSmessage) that is an authentication target of the high-precisionsatellite navigation service (e.g., the KPS).

As illustrated in FIGS. 16 and 17 , by adding the Seq field 1654_7 tothe NAV message and adding the data part 1752 for authenticationinformation to the CLS message, a transmission time of an NAV subframe1810 and a CLS subframe 1830 may be synchronized. As illustrated in FIG.18 , while the M (e.g., 1) NAV subframes 1810 are transmitted, N (e.g.,2) CLS subframes 1830 may be transmitted.

The generation and transmission of a digital signature may be performedselectively in one of the authentication methods to be described below.

FIG. 19 illustrates an authentication method 1 according to anembodiment. Referring to FIG. 19 , an apparatus (e.g., the apparatus2500 of FIG. 25 ) may perform the authentication method 1.

The apparatus 2500 may generate authentication information 1901 (e.g., adigital signature) on data parts (e.g., data parts 1 to 5) of anodd-numbered CLS subframe (e.g., a CLS subframe 1). The apparatus 2500may include the authentication information 1901 in a data part (e.g., adata part 6) for authentication of the odd-numbered CLS subframe.

The apparatus 2500 may generate authentication information 1903 (e.g.,the digital signature) on data parts (e.g., the data parts 1 to 5) of aneven-numbered CLS subframe (e.g., a CLS subframe 2). The apparatus 2500may generate authentication information 1905 (e.g., the digitalsignature) of an NAV subframe (e.g., an NAV subframe 1) synchronizedwith the even-numbered CLS subframe. The apparatus 2500 may concatenatethe generated pieces of authentication information 1903 and 1905 andinclude a concatenation of the authentication information 1903 and 1905in the data part (e.g., the data part 6) for authentication of theeven-numbered CLS subframe.

The apparatus 2500 may transmit a CLS message including pieces ofauthentication information (e.g., the authentication information 1901and the concatenation of the authentication information 1903 and 1905).

When the apparatus 2500 performs authentication by using theauthentication method 1, authentication may be rapidly performed byunits of one subframe. In this case, the length of authenticationinformation may increase by concatenating the pieces of theauthentication information 1903 and 1905. Accordingly, authenticationinformation generated through a 1024-bit key may not be included byeven-numbered CLS subframes due to a limited space.

FIG. 20 illustrates an authentication method 2 according to anembodiment. Referring to FIG. 20 , an apparatus (e.g., the apparatus2500 of FIG. 25 ) may perform the authentication method 2.

The apparatus 2500 may generate authentication information 2001 (e.g., adigital signature) of an NAV subframe (e.g., an NAV subframe 1)synchronized with an even-numbered CLS subframe (e.g., a CLS subframe2). The apparatus 2500 may include the authentication information 2001in a data part (e.g., a data part 6) for authentication of theeven-numbered CLS subframe.

The apparatus 2500 may generate authentication information 2003 (e.g.,the digital signature) by concatenating data parts (e.g., data parts 1to 5) of an odd-numbered CLS subframe (e.g., a CLS subframe 3) and thedata parts (e.g., the data parts 1 to 5) of a previous CLS subframe(e.g., a CLS subframe 2). The apparatus 2500 may include theauthentication information 2003 in the data part (e.g., the data part 6)for authentication of the odd-numbered CLS subframe.

The apparatus 2500 may generate authentication information on the dataparts (e.g., the data parts 1 to 5) of a CLS subframe (e.g., a CLSsubframe 1) and include the generated authentication information in thedata part (e.g., the data part 6) for authentication of the CLS subframe(e.g., the CLS subframe 1).

The apparatus 2500 may transmit a CLS message including pieces ofauthentication information (e.g., the authentication information 2001and 2003).

When the apparatus 2500 performs authentication by using theauthentication method 2, authentication information generated through a1024-bit key may be included by a data part for authentication of a CLSsubframe, but authentication time may increase compared to theauthentication method 1.

FIGS. 21 and 22 are diagrams illustrating an authentication method 3according to an embodiment.

FIG. 21 illustrates an example of a concatenation of the authenticationmethod 3, and FIG. 22 illustrates an example of an exclusive-oroperation of the authentication method 3.

Referring to FIGS. 21 and 22 , an apparatus (e.g., the apparatus 2500 ofFIG. 25 ) may perform the authentication method 3.

The apparatus 2500 may generate authentication information 2101 (e.g., adigital signature) on data parts (e.g., data parts 1 to 5) of anodd-numbered CLS subframe (e.g., a CLS subframe 1). The apparatus 2500may include the authentication information 2101 in a data part (e.g., adata part 6) for authentication of the odd-numbered CLS subframe.

The apparatus 2500 may generate authentication information 2103 (e.g.,the digital signature) by concatenating the data parts (e.g., the dataparts 1 to 5) of an even-numbered CLS subframe (e.g., a CLS subframe 2)and an NAV subframe (e.g., an NAV subframe 1) synchronized with theeven-numbered CLS subframe. The apparatus 2500 may include theauthentication information 2103 in the data part (e.g., the data part 6)for authentication of the even-numbered CLS subframe (e.g., the CLSsubframe 2).

The apparatus 2500 may generate authentication information 2203 (e.g.,the digital signature) by performing an exclusive-or on the data parts(e.g., the data parts 1 to 5) of the even-numbered CLS subframe and theNAV subframe (e.g., the NAV subframe 1) synchronized with theeven-numbered CLS subframe. The apparatus 2500 may include theauthentication information 2203 in the data part (e.g., the data part 6)for authentication of the even-numbered CLS subframe (e.g., the CLSsubframe 2).

As illustrated in FIG. 22 , when the apparatus 2500 performs anexclusive-or on messages and generates the authentication information2203, the length of a message may be adjusted by padding a bit string(e.g., 1000 . . . ) to a short message.

The apparatus 2500 may transmit a CLS message including pieces ofauthentication information (e.g., the authentication information 2101and the authentication information 2103 or 2203). For example, theapparatus 2500 may transmit the CLS message including the authenticationinformation 2101 and 2103 or the CLS message including theauthentication information 2101 and 2203.

When the apparatus 2500 performs authentication by using theauthentication method 3, the length of authentication information maynot increase because the authentication information 2103 and 2203 isgenerated by performing a concatenation or an exclusive-or on messages,and the authentication cycle may not increase. However, when theapparatus 2500 does not use a CLS message, authentication may not beperformed only by receiving an NAV message, and the apparatus 2500 mayalso need to store the CLS message for authentication.

FIG. 23 illustrates a public key table according to an embodiment.

Referring to FIG. 23 , a private key used for a digital signature may beconfidentially retained by a satellite, and a public key correspondingto the private key may need to be publicly shared with receivers.

Public keys respectively corresponding to public key identifiers (publickey IDs) may be stored in a table form. As shown in Table 3, a publickey ID is 5 bits, and thus, a table may store a maximum of 2⁵ publickeys. When a user (e.g., the apparatus 2500) of an authentication methoddesires to use different tables according to a digital signaturealgorithm (e.g., an ECDSA) and an elliptic curve-Koreancertificate-based digital signature algorithm (EC-KCDSA)) and a keylength, 2³ tables including 2⁵ public keys may be used because a digitalsignature algorithm ID is 1 bit and the key length is 2 bits.

When different encryption techniques are used for NAV authentication andCLS authentication to increase the safety of the authentication method,2³*2 tables may be used because respective public key tables for an NAVmessage and a CLS message are used.

When a public key used for a message is stored by using different tablesfor each of N satellites, a maximum of 2³*2*N tables may be used becausea maximum of 2³*2 tables is used for each of the N satellites. Thenumber of public key tables may be adjusted from 1N to 2³*2*N accordingto a renewal cycle of a public key and the lifespan of a satellite.

When using the authentication method (e.g., the authentication methods 1to 3), the apparatus 2500 may selectively use a hash function, a digitalsignature algorithm, and a key length as follows:

-   -   (1) the hash function: SHA-224, SHA-256, SHA-384, SHA-512,        SHA-512/224, SHA-512/256, SHA3-224, SHA3-256, SHA3-384,        SHA3-512, LSH-224, LSH-256, LSH-384, LSH-512, LSH-512-224, and        LSH-512-256;    -   (2) the digital signature algorithm: the ECDSA and the EC-KCDSA;        and    -   (3) the key length: 224, 256, 384, and 512.

FIG. 24 is a flowchart illustrating a satellite navigation system-basedauthentication method according to an embodiment. Operations 2410 to2450 may be practically the same as the authentication method used bythe apparatus (e.g., the apparatus 2500) described with reference toFIGS. 16 to 24 .

In operation 2410, the apparatus 2500 may generate first authenticationinformation (e.g., the authentication information 1905 of FIG. 19 ) toperform authentication on a first message (e.g., a satellite navigationmessage and an NAV message).

In operation 2430, the apparatus 2500 may generate second authenticationinformation (e.g., the authentication information 1901 of FIG. 19 ) toperform the second message (e.g., a precision correction message (e.g.,a CLS))

In operation 2450, the apparatus 2500 may include and transmit the firstand second authentication information.

Operations 2410 to 2450 may be sequentially performed, but examples arenot limited thereto. For example, two or more operations may beparallelly performed.

FIG. 25 is a schematic block diagram illustrating an apparatus accordingto an embodiment.

Referring to FIG. 25 , an apparatus 2500 may be an apparatus forperforming a satellite navigation system-based authentication method.The apparatus 2500 may perform a satellite navigation system-basedmethod to be described below with reference to FIGS. 16 to 24 . Theapparatus 2500 may be implemented in a transmitter (e.g., a transmittingdevice) for performing communication through a satellite, in a receiver(e.g., a receiving device), and/or in the satellite. The apparatus 2500may include a memory 2510 and a processor 2530.

The memory 2510 may store instructions (or programs) executable by theprocessor 2530. For example, the instructions may include instructionsfor executing an operation of the processor 2530 and/or an operation ofeach component of the processor 2530.

The memory 2510 may include one or more computer-readable storage media.The memory 2510 may include non-volatile storage elements (e.g., amagnetic hard disk, an optical disc, a floppy disc, a flash memory, anelectrically programmable memory (EPROM), and an electrically erasableand programmable memory (EEPROM).

The memory 2510 may be a non-transitory medium. The term“non-transitory” may indicate that a storage medium is not embodied in acarrier wave or a propagated signal. However, the term “non-transitory”should not be interpreted to mean that the memory 2510 is non-movable.

The processor 2530 may process data stored in the memory 2510. Theprocessor 2530 may execute computer-readable code (e.g., software)stored in the memory 2510 and instructions triggered by the processor2530.

The processor 2530 may be a hardware-implemented data processing deviceincluding a circuit that is physically structured to execute desiredoperations. For example, the desired operations may include code orinstructions included in a program.

For example, the hardware-implemented data processing device may includea microprocessor, a central processing unit (CPU), a processor core, amulti-core processor, a multiprocessor, an application-specificintegrated circuit (ASIC), and a field-programmable gate array (FPGA).

The operations performed by the processor 2530 may be practically thesame as the satellite navigation system-based authentication methoddescribed with reference to FIGS. 16 to 24 . Accordingly, furtherdescription thereof is not repeated herein.

The examples described herein may be implemented using a hardwarecomponent, a software component and/or a combination thereof. Aprocessing device may be implemented using one or more general-purposeor special-purpose computers, such as, for example, a processor, acontroller and an arithmetic logic unit (ALU), a digital signalprocessor (DSP), a microcomputer, an FPGA, a programmable logic unit(PLU), a microprocessor or any other device capable of responding to andexecuting instructions in a defined manner. The processing device mayrun an operating system (OS) and one or more software applications thatrun on the OS. The processing device also may access, store, manipulate,process, and create data in response to execution of the software. Forpurpose of simplicity, the description of a processing device is used assingular; however, one skilled in the art will appreciate that aprocessing device may include multiple processing elements and multipletypes of processing elements. For example, the processing device mayinclude a plurality of processors, or a single processor and a singlecontroller. In addition, different processing configurations arepossible, such as parallel processors.

The software may include a computer program, a piece of code, aninstruction, or some combination thereof, to independently orcollectively instruct or configure the processing device to operate asdesired. Software and data may be stored in any type of machine,component, physical or virtual equipment, or computer storage medium ordevice capable of providing instructions or data to or being interpretedby the processing device. The software also may be distributed overnetwork-coupled computer systems so that the software is stored andexecuted in a distributed fashion. The software and data may be storedby one or more non-transitory computer-readable recording mediums.

The methods according to the above-described examples may be recorded innon-transitorycomputer-readable media including program instructions toimplement various operations of the above-described examples. The mediamay also include, alone or in combination with the program instructions,data files, data structures, and the like. The program instructionsrecorded on the media may be those specially designed and constructedfor the purposes of examples, or they may be of the kind well-known andavailable to those having skill in the computer software arts. Examplesof non-transitory computer-readable media include magnetic media such ashard disks, floppy disks, and magnetic tape; optical media such asCD-ROM discs, DVDs, and/or Blue-ray discs; magneto-optical media such asoptical discs; and hardware devices that are specially configured tostore and perform program instructions, such as read-only memory (ROM),random access memory (RAM), flash memory (e.g., USB flash drives, memorycards, memory sticks, etc.), and the like. Examples of programinstructions include both machine code, such as produced by a compiler,and files containing higher-level code that may be executed by thecomputer using an interpreter.

The above-described devices may act as one or more software modules inorder to perform the operations of the above-described examples, or viceversa.

As described above, although the examples have been described withreference to the limited drawings, a person skilled in the art may applyvarious technical modifications and variations based thereon. Forexample, suitable results may be achieved if the described techniquesare performed in a different order and/or if components in a describedsystem, architecture, device, or circuit are combined in a differentmanner and/or replaced or supplemented by other components or theirequivalents.

Therefore, the scope of the disclosure is defined not by the detaileddescription, but by the claims and their equivalents, and all variationswithin the scope of the claims and their equivalents are to be construedas being included in the disclosure.

What is claimed is:
 1. A satellite navigation system-basedauthentication method, the method comprising: generating firstauthentication information for performing authentication on a firstmessage; generating second authentication information for performingauthentication on a second message; and transmitting the second messageby comprising the first authentication information and the secondauthentication information in the second message.
 2. The method of claim1, wherein the first message is a message transmitted at a low speed,and the second message is a message transmitted at a high speed.
 3. Themethod of claim 2, wherein the first message comprises a navigationmessage, and the second message comprises a precise correction message.4. The method of claim 1, wherein a subframe of the first messagecomprises a field for synchronizing the second message with thesubframe, and a subframe of the second message comprises a data partcomprising the first authentication information and the secondauthentication information.
 5. The method of claim 1, wherein the firstauthentication information comprises a digital signature for the firstmessage, and the second authentication information comprises a digitalsignature for the second message.
 6. The method of claim 4, wherein anodd-numbered subframe of subframes comprised by the second messagecomprises authentication information on the odd-numbered subframe, andan even-numbered subframe of the subframes comprised by the secondmessage comprises a concatenation of authentication information on asubframe corresponding to the even-numbered subframe of the subframescomprised by the first message and authentication information on theeven-numbered subframe.
 7. The method of claim 4, wherein aneven-numbered subframe of subframes comprised by the second messagecomprises authentication information on a subframe corresponding to theeven-numbered subframe of the subframes comprised by the first message,and an odd-numbered subframe of the subframes comprised by the secondmessage comprises a concatenation of the even-numbered subframe and theodd-numbered subframe.
 8. The method of claim 4, wherein an odd-numberedsubframe of subframes comprised by the second message comprisesauthentication information on the odd-numbered subframe, and aneven-numbered subframe of the subframes comprised by the second messagecomprises authentication information on a concatenation or anexclusive-or of the even-numbered subframe and a subframe correspondingto the even-numbered subframe of subframes comprised by the firstmessage.
 9. An apparatus configured to perform a satellite navigationsystem-based authentication method, the apparatus comprising: a memorycomprising instructions; and a processor electrically connected to thememory and configured to execute the instructions, wherein the processorperforms a plurality of operations when the instructions are executed bythe processor, and the operations comprise: generating firstauthentication information for performing authentication on a firstmessage; generating second authentication information for performingauthentication on a second message; and transmitting the second messageby comprising the first authentication information and the secondauthentication information in the second message.
 10. The apparatus ofclaim 9, wherein the first message is a message transmitted at a lowspeed, and the second message is a message transmitted at a high speed.11. The apparatus of claim 10, wherein the first message comprises anavigation message, and the second message comprises a precisecorrection message.
 12. The apparatus of claim 9, wherein a subframe ofthe first message comprises a field for synchronizing the second messagewith the subframe, and a subframe of the second message comprises a datapart comprising the first authentication information and the secondauthentication information.
 13. The apparatus of claim 9, wherein thefirst authentication information comprises a digital signature for thefirst message, and the second authentication information comprises adigital signature for the second message.
 14. The apparatus of claim 12,wherein an odd-numbered subframe of subframes comprised by the secondmessage comprises authentication information on the odd-numberedsubframe, and an even-numbered subframe of the subframes comprised bythe second message comprises a concatenation of authenticationinformation on a subframe corresponding to the even-numbered subframe ofthe subframes comprised by the first message and authenticationinformation on the even-numbered subframe.
 15. The apparatus of claim12, wherein an even-numbered subframe of subframes comprised by thesecond message comprises authentication information on a subframecorresponding to the even-numbered subframe of the subframes comprisedby the first message, and an odd-numbered subframe of the subframescomprised by the second message comprises a concatenation of theeven-numbered subframe and the odd-numbered subframe.
 16. The apparatusof claim 12, wherein an odd-numbered subframe of subframes comprised bythe second message comprises authentication information on theodd-numbered subframe, and an even-numbered subframe of the subframescomprised by the second message comprises authentication information ona concatenation or an exclusive-or of the even-numbered subframe and asubframe corresponding to the even-numbered subframe of subframescomprised by the first message.